ISPconfig cluster + Let's encrypt problem

Hi, I have a question regarding clustered ISPConfig and Let's Encrypt functionality.
I've created a two-server ISPConfig cluster according to this article. Everything works just fine except Let's Encrypt.
Problem description:
When I enable Let's Encrypt on any website, it triggers letsencrypt on both servers, but only one is able to finish verification because the DNS A record points only to one of these two clustered servers. The result is that the letsencrypt cert is created and available on one server in the cluster, but globally it fails. What I can do then is go to MySQL and manually configure SSL and letsencrypt as enabled, and everything works just fine. This is a very annoying workaround and it's not possible to do this for every website.
Do you have any idea, solution or recommendation for clustered ISPConfig and Let's Encrypt?

I guess the only solution is to put the /etc/letsencrypt directory and the directory /usr/local/ispconfig/interface/acme on a shared network filesystem (e.g. by using NFS) so that both servers share the same LE directories.


Interesting solution, but I was wondering what would happen if the host failed, since the purpose is to run the mirror server if the main server fails.

Certificates are copied by ISPConfig from the letsencrypt folder to the website's ssl folder automatically (for example /var/www/clients/client1/web5/ssl/). All folders in /var/www are mirrored on both servers, so if you lose the primary server everything will work fine except new LE requests.
For me it's perfectly fine because loss of the primary server is an emergency situation and must be solved asap (it has higher priority than adding new websites).

Rsync cannot be used for these two folders as they have to contain the same content in real time. Otherwise, LE will fail when it tries to create the verification token on server 1 but the HTTP request is received on server 2 in an active/active cluster. For an active/passive cluster, rsync might work, but you would have to modify the ISPConfig code a little bit to ensure that certbot is never invoked on the slave server, and you would have to ensure that rsync for the SSL cert is always run before ISPConfig tries to configure a vhost; otherwise Apache or nginx might fail when the SSL cert on the slave does not exist yet at that time.
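One way to enforce the two active/passive rules just described, as an added example and not ISPConfig's own code: certbot is invoked only on the node the domain's A record resolves to, and a vhost is enabled only once the synced certificate files exist locally. It assumes certbot's default /etc/letsencrypt/live/<domain>/ layout, Linux `hostname -I`, the acme directory named in this thread as webroot, and Apache managed with a2ensite; the vhost file name is a placeholder.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code: a certbot guard for an
# active/passive cluster. certbot runs only on the node the domain's
# A record currently points at, and a vhost is enabled only once the
# certificate files exist on this node (e.g. after rsync from the master).

# Return 0 if RESOLVED (the domain's A record) is one of LOCAL_ADDRS.
# Both are plain strings so the decision can be tested offline.
node_is_active() {
    resolved="$1"
    local_addrs="$2"
    for addr in $local_addrs; do
        [ "$addr" = "$resolved" ] && return 0
    done
    return 1
}

# Return 0 only if both cert and key for DOMAIN exist and are non-empty.
# Assumes certbot's default layout LE_DIR/live/DOMAIN/{fullchain,privkey}.pem.
cert_present() {
    le_dir="$1"
    domain="$2"
    [ -s "$le_dir/live/$domain/fullchain.pem" ] &&
        [ -s "$le_dir/live/$domain/privkey.pem" ]
}

# Live lookups used on a real node (Linux: hostname -I lists local addresses).
resolve_a() { getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'; }
local_ips() { hostname -I 2>/dev/null; }

# Request a certificate only on the active node; exit 2 on the passive one
# so a caller (cron, a patched ISPConfig hook) can tell "skipped" from "failed".
request_cert() {
    domain="$1"
    webroot="${2:-/usr/local/ispconfig/interface/acme}"   # assumption: acme dir as webroot
    if ! node_is_active "$(resolve_a "$domain")" "$(local_ips)"; then
        echo "certbot skipped on this node: $domain does not resolve here" >&2
        return 2
    fi
    certbot certonly --webroot -w "$webroot" -d "$domain"
}

# Refuse to enable the vhost until the synced certificate has arrived.
enable_vhost_if_ready() {
    domain="$1"
    le_dir="${2:-/etc/letsencrypt}"
    if ! cert_present "$le_dir" "$domain"; then
        echo "certificate for $domain not present yet; not enabling vhost" >&2
        return 1
    fi
    a2ensite "$domain.vhost" && systemctl reload apache2   # placeholder vhost name
}

if [ $# -gt 0 ]; then request_cert "$@"; fi
```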

Just a note: We plan to implement DNS auth for LE (it is required for wildcard certs anyway), and this will make things easier as we won't have to share the acme directory in real time anymore. Replication of the cert itself might then happen in ISPConfig. But that's for the future, so not a solution at the moment.